Microsoft's Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt the malicious infrastructure that criminals use to run ransomware attacks built on cracked copies of Cobalt Strike.
On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing them to do so. The order lets the parties notify the relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs), who assist in taking the infrastructure offline, effectively severing the connection between the criminal operators and infected victim computers.
In a blog post announcing the partnership with Fortra, Microsoft explains how cybercriminals abuse legitimate and popular security tools such as Cobalt Strike to launch attacks, including ransomware, that cause significant damage and disruption to organizations and individuals.
“Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation provided by Fortra. Sometimes, older versions of the software have been abused and altered by criminals. These illegal copies are referred to as “cracked” and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive.
“Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims.”
Fighting Back Against Cobalt Strike Ransomware Attacks
The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world.
Rather than disrupting the command and control of a single malware family, as in earlier DCU actions, Microsoft is this time working with Fortra to remove illegal, legacy copies of Cobalt Strike so that cybercriminals can no longer use them. Because the cracked copies are hosted around the world, the takedown will require persistent, ongoing effort.
This is an important action by Fortra to protect the legitimate use of its security tools, and Microsoft is similarly committed to the legitimate use of its own products and services. Microsoft also sees Fortra's choice to partner with it on this action as recognition of the DCU's work fighting cybercrime over the last decade.